(57) Abstract

A process (10) for time-stamping a digital document is provided.
The process provides a certificate (20) which not only allows for the 
authentication of a document at a later time but which includes a name 
(18) or nickname (19) which allows for the unique identification of the 
document at a later time. The name (18) or nickname (19) provided in
accordance with the present invention is not only simple and concise 
but allows for the self-authentication of the document which it refers 
to. The name can be used when two independent parties desire to refer 
to the same unique document in a quick and simple way. 
DIGITAL DOCUMENT AUTHENTICATION
SYSTEM FOR PROVIDING A CERTIFICATE WHICH
AUTHENTICATES AND UNIQUELY IDENTIFIES A DOCUMENT



Background Of The Invention 

This invention relates to a digital document authentication system
which authenticates and uniquely identifies a document. More particularly, this
invention relates to a digital document time-stamping system which provides a
unique, user-friendly and cryptographically secure name for a digital document by
means of an authentication certificate.

In many situations there is a need to establish the date and time at 
which a document was created and to prove that the document in question has not 
been altered since then. This problem is especially acute with respect to digital
documents because they are so easy to alter, since they are generally stored in 
digital form on an easily changeable medium that provides no indication of past 
history. However it is stored, it is easy to make a perfect copy of a digital
document—so easy that it rarely makes any sense to speak of "the original copy"
of a computer-based document. Any of these copies can be easily altered, either in
major or minor ways. By contrast, there are much better guarantees of the
integrity of paper documents. For example, making a change to a paper document 
of any sort, even a small change, typically leaves physical forensic evidence. 

In recent years, a number of digital time-stamping systems have been 
proposed. For example, U.S. Patents No. 5,136,647 and 5,136,646, which are
hereby incorporated by reference in their entirety, describe such systems. The 
system described in the 5,136,646 patent provides an authentication certificate
which includes, in addition to a Transaction Number, Client ID Number, Time and
Date, a Certificate Number. In order to verify the authenticity of a document, the
records of the time-stamping "authority" are examined in connection with the
Certificate Number at-issue.

An improved system is described in "Improving the Efficiency and 
Reliability of Digital Time-Stamping," by D. Bayer, S. Haber and W.S. Stornetta
(in Sequences II: Methods in Communication, Security, and Computer Science,
ed. R.M. Capocelli, A. DeSantis and U. Vaccaro, pp. 329-334, Springer-Verlag
New York, 1993). To verify the authenticity of a document time-stamped with a
system based on a binary tree, that article suggests retaining the set of hash values
that were directly combined with the document-at-issue's hash value along the path
to the published root of the tree (along with the "handedness" of those hash
values). Authentication consists of recomputing the root of the tree from this data.
If a "trustworthy" certificate occurs about every N documents, this system reduces
the cost of verification from N to log N over a system based on linear linking such
as that described in "How to Time-Stamp a Digital Document," by S. Haber and
W.S. Stornetta, Journal of Cryptography, Vol. 3, No. 2, pp. 99-111 (1991).

The digital time-stamping systems described above provide users a 
way to "register" any of their digital documents. A "document," of course, can be 
any sequence of bits, representing the words of a written document, the form of a 
printed text, recorded sound or digitized video, for example. As a result of so 
registering a document, the user receives a time-stamp "certificate" that attests to 
the time of registration and content of the document. When any user is presented 
with a digital document and its time-stamp certificate, the user can validate that the 
given certificate was indeed computed for the given document at the time claimed; 
if that is not the case, then the (document, certificate) pair will fail the validation 
or authentication test. 

Although the above-described systems perform their intended 
function, there is always a need for further improvement. For example, systems
which allow users to simplify their digital document needs are always welcome.
In particular, consider the situation of two parties who are working on multiple
versions of a document that they create, modify, transmit, and store in digital form. 
The parties may be authors or scientists collaborating on an article, auditors or 
analysts reviewing accounting records or lawyers negotiating a contract or other 
persons whose work involves intensive creation or manipulation of digital 
documents. Such parties need a convenient way to refer to the documents they 
use, in order to keep records and in order to communicate with each other.



WO 96/13921    PCT/US95/13837



Preferably, names for documents should be concise and easy to refer to. Also, a 
name should be unambiguous, at least in the context of its use; this requires some 
connection between the name and the integrity of the document it names. 
Additionally, it would be convenient for a naming scheme to have enough 
flexibility to allow authors to name their documents in a way that (1) reflects a 
structure or relationship between different documents or different parts of the same 
document or (2) includes other information that they deem useful about their 
documents.

Generally, schemes for naming digital documents may be classified 
into two different categories: (1) a name can be chosen according to an arbitrary 
convention of some sort or (2) a name may be chosen so that it functionally
depends on the document it names — a functional dependence that is verifiable by
other parties. An example of an arbitrary naming scheme is the International
Standard Book Numbering (ISBN) system for published books. An example of a
"verifiable" (or "self-attesting") naming scheme is one that assigns to any
document its hash value by a specific one-way hash function (further explained
below). 

Arbitrary naming schemes vary according to how the scheme is 
established or enforced. The usual mechanism involves a choice that is made at a 
specific location (physical or logical). For example, a user's choice of a name for 
a new file created using a word-processing program on a personal computer is 
generally arbitrary and local: the user chooses the name on the personal computer
according to his or her own convenience. The ISBN and the Library of Congress 
classification systems are also arbitrary; they depend on a non-local central naming 
scheme. Whenever the choice of a name is merely arbitrary, the correlation 
between the name and the object named is not intrinsically verifiable. In other 
words, there is no procedure by which a person can verify that a particular 
document is the same document that was assigned a particular name. 

One way to guarantee that a digital document name is "verifiable" is
to use a definite mathematical function taking bit-strings as arguments, and to use 
the value of the function, when it is evaluated on a particular document, as the 
"name" of that document. For convenience, the function should be easy to 
compute. In order that the names be unique, the function should also be 
computationally one-to-one. In addition, because of the desire that the name of a 
document should at the very least be shorter than the length of the document itself,
the function should compress its arguments. Therefore, the usual choice for this 
sort of function is a one-way hash function. 

A one-way hash function is an easily computed function that takes
arbitrary-length bit-strings as input and produces fixed-length bit-strings as output
("hash values"). Such functions satisfy the following conditions: (1) it is
infeasible to find two different inputs that produce the same hash value output and
(2) given an input and its hash value output, it is infeasible to find a different input
with the same hash value output. It is a consequence of these conditions that it is
infeasible to recover any information about a file from its hash value.

The infeasibility of these computational tasks depends on the current 
state of the art, both the current state of mathematical (algorithmic) knowledge
about attacking the function in question, as well as the computational speed and
memory available in the best current computers. As the state of the art advances, it
is possible that a function that was once securely one-way will eventually cease to
be so. Currently, it is recommended that one-way hash functions produce outputs
that are at least 128 bits long. For shorter outputs, the function is generally not
secure (no matter what its design). As the current state of the art advances, the
recommended length for secure hash functions increases.

While the scheme of naming a document by its one-way hash value 
is intrinsically verifiable, there are several inconvenient features associated with 
such a scheme. First of all, the names are too long for a human user to remember
or even to communicate easily to another human being. Second, the author of a
document has no control over the form of its name. With any one-way hash
function, a document's hash value is simply a random-appearing bit-string of the
appropriate length. Thus, inconvenient as it may be for the author, there will be no 
connection between the names of documents that are related to each other, either 
in form or in substance. Similarly, the name of a particular document gives no 
information regarding the underlying named document. Third, as technology 
advances, any particular choice of a function for a naming scheme becomes less
secure, with the result that the name of a long-lived document will need to change 
over time if security is desired. 

In light of the above, it would be desirable to be able to provide an 
improved digital time-stamping system. 

It would also be desirable to be able to provide an improved method 
of working with digital documents. 

It would further be desirable to be able to provide a system for
assigning a name to a digital document wherein the name is user-friendly, concise,
easy to refer to, intrinsically verifiable and able to provide information associated
with the document named.

Summary Of The Invention

It is an object of this invention to provide an improved digital
time-stamping system.

It is also an object of this invention to provide an improved method
of working with digital documents.

It is a further object of this invention to provide a system for
assigning a name to a digital document wherein the name is user-friendly, concise,
easy to refer to, intrinsically verifiable and able to provide information associated
with the document named.

In accordance with the present invention there is provided a method
of time-stamping a digital document. The method includes the steps of: (a)
receiving a first request for registering a first document; (b) receiving, combining
and hashing other requests to form a repository of a plurality of hash values
dependent upon a plurality of requests; (c) generating a location pointer for said
first document in said repository; (d) naming said first document by said location
pointer to provide a first name for said first document; and (e) generating a
certificate for said first document including said first name. In accordance with the
invention, not only can the certificate be used to self-authenticate a document at a
later date, but the name in the certificate can be used to uniquely and conveniently
refer to the time-stamped document. This method allows the time-stamping
system to be used simultaneously as a naming system without the need for separate
or parallel hardware to be maintained by a service bureau or a user for such
additional convenience.

In addition to providing a method for simultaneously time-stamping
and naming a digital document, the present invention also includes a method for
naming a digital document. The method includes the steps of: (a) receiving a first
request for naming a first document; (b) receiving, combining and hashing other
requests to form a repository of a plurality of hash values dependent upon a
plurality of requests; (c) generating a location pointer for said first document in
said repository; and (d) naming said first document by said location pointer to
provide a self-verifying name for said first document. This aspect of the invention
provides a name for the digital document that is not only intrinsically verifiable,
but is concise and easy to use as well. Additionally, the name is able to provide
information associated with the document named. An added benefit of this aspect
of the invention is that no new additional hardware over that used for the
time-stamping of digital documents is required.

Brief Description Of The Drawings

The above and other objects and advantages of the invention will be
apparent upon consideration of the following detailed description, taken in
conjunction with the accompanying drawings, in which like-reference numerals
refer to like-parts throughout, and in which:

FIG. 1 is a flow diagram of an embodiment of the time-stamping
process according to the invention;

FIG. 2A is an illustrative alphanumeric representation of a digital
document F for certification;

FIG. 2B is a diagram of an illustrative time-stamping request for
providing a certificate according to the invention for document F of FIG. 2A;

FIG. 3 is a diagram of a portion of an illustrative binary-tree
authentication and naming repository;

FIG. 4 is a diagram of an illustrative authentication certificate for
uniquely naming document F of FIG. 2A in connection with the repository of
FIG. 3;

FIG. 5 is a flow diagram of another embodiment of the process
according to the invention for uniquely naming a document;

FIGS. 6A-6C are diagrams illustrating first, second and third
embodiments, respectively, of the name of document F of FIG. 2A according to the
process of FIG. 5; and

FIG. 7 is a diagram of a portion of an illustrative linear-linked-list
authentication and naming repository.

Detailed Description Of The Invention 

FIG. 1 is a flow diagram of a first embodiment of the time-stamping
process according to the invention and will be described below in connection with
FIGS. 2-4 which illustrate various features of the invention. As shown in FIG. 1,
the present time-stamping procedure 10 begins at step 11 where a user prepares a
request for certification, R, of a digital document, F. An example of an
alphanumeric representation 5 of such a digital document F is shown in FIG. 2A.
Digital document F may be in the digital form or representation of any
alphanumeric text (illustrated in FIG. 2A) or video, audio, pictorial or other form
of fixed data (not shown). Although the present process may be used with
documents of any length, the excerpt of FIG. 2A is amply representative of a
document for which time-stamping is desired.

In accordance with the present invention, FIG. 2B is a diagram of an
illustrative alphanumeric representation of a time-stamping request R (prepared by
the requester at step 11 of FIG. 1) for providing a certificate for document F
(FIG. 2A). Request R includes hash value 21 (a5) of document F shown in
FIG. 2A, requester's file name 22 and requester's identification number 23. For
convenience in the presentation of this example, hash value 21 (a5) is computed
using the 128-bit format of the MD5 one-way hashing algorithm (described by
R.L. Rivest in "The MD5 Message-Digest Algorithm," Request for Comments
(RFC) 1321, Internet Activities Board, April, 1992) and expressed in base sixteen
(16). Of course, other one-way hashing algorithms could be used as well (for
example, the MD4 algorithm or the National Institute of Standards and
Technology's Secure Hash Algorithm [SHA] specified in Federal Information
Processing Standard [FIPS] PUB 180). It should be noted that the alphanumeric
and other numerical value representations used in this example are not in such
form crucial to the implementation of the invention. That is to say, other
representations could be used as well.

As shown in FIG. 2B, requester's file name 22 is used to allow the 
requester to identify the particular file that is the subject matter of the request. 
Generally, it has no significance to a service bureau's certification of the user's
document and is optional to the request R. Requester's identification number 23 is
used to allow the service bureau to identify the particular requester who has 
requested the certification of a document. 

Referring back to FIG. 1, after a user prepares a request for
certification R of a digital document F (FIG. 2A) at step 11, the user transmits
request 20 (FIG. 2B) to the service bureau at step 12. At step 13, the service
bureau combines requests. By doing so the service bureau takes from R hash value
a5 (FIG. 2B) of document F and combines (e.g., concatenates) that value with the
hash value a6 of a second document which is the subject matter of a second
request for certification. At step 14, the service bureau hashes the composite to
create a new hash value linked to hash values a5 and a6 by a one-way hash
function. This aspect of the present invention is illustrated by FIG. 3 and the
Table (appended below before the claims) which are, respectively, a diagram of a
portion of an illustrative authentication and naming repository (e.g., binary tree) in
accordance with the principles of the present invention and a table illustrating
exemplary MD5 hash values for the repository of FIG. 3 when document F
comprises the text of FIG. 2A. As illustrated in FIG. 3, digital document F is the
subject matter of a request for certification R which, in turn, includes hash value
a5. As shown in the Table below (Subtree A), a5 (for document F of FIG. 2A) has
a value "b767290cff8c87194cf3061308a9794a". (For purposes of this illustrative
example, hash values a1-a4, a6-a8, b1-b8, d1, d3-d6 and d8 in the Table have been
assigned arbitrary values.)

At steps 13 and 14 of FIG. 1, hash value a5 would be combined (e.g.,
concatenated) with hash value a6 and the composite would be hashed to provide a
new hash value represented in FIG. 3 by A5-6 (wherein the subscript "5-6"
represents that the resulting hash value is derived from the fifth and sixth leaves of
subtree A). In other words, the first bit-string a5 is combined with the second
bit-string a6 and the result is hashed to form a new bit-string A5-6. (For example, in
connection with FIG. 3 and the Table, the concatenation of a5 and a6 is
"b767290cff8c87194cf3061308a9794a15812318c8ec1d2cf94a79cb8952f3c2"
while its hash value is "9dad90bbef28047744a26865acbf24ee".) At step 15 in
FIG. 1, the service bureau continues to receive, combine and hash other requests
for certification and forms a repository (for example, in FIG. 3, a tree) of resulting
hash values (as illustrated in FIG. 3). In particular, as illustrated in FIG. 3, hash
values a7 and a8 are combined and hashed to form a resulting hash value A7-8.
Thereafter, hash values A5-6 and A7-8 are combined and hashed to form
resulting hash value A5-8. Similarly, hash values a1, a2, a3 and a4 are
appropriately combined and hashed together to form A1-2 and A3-4 which, in
turn, are combined together and then hashed to form hash value A1-4. Then,
subtree A is "closed off" by combining A1-4 and A5-8 together wherein the
composite is then hashed to form hash value A1-8 (wherein the subscript "1-8"
represents that the resulting hash value is derived from the first through eighth
leaves of subtree A). In other words, the documents represented by hash values a1
through a8 are linked together in subtree A, which forms a repository for those
hash values. The elements of this repository are, in turn, linked together via the
hash values Ai-j.

Referring to FIG. 3, the service bureau can continue to receive
additional requests including document hash values b1, b2, b3, b4, b5, b6, b7 and
b8 which are used to form a subtree B with a root B1-8. As the service bureau
continues to receive additional requests including document hash values d1, d3,
d4, d5, d6 and d8, these hash values are combined with hash values d2 and d7
(which are respectively derived from roots A1-8 and B1-8) to form a final tree D
comprised of hash values D1-2, D3-4, D5-6 and D7-8 and, in turn, D1-4 and D5-8.
D1-4 and D5-8 are then combined together with the composite being hashed to
form the root of tree D, hash value D1-8.

Referring back to FIG. 1, step 16 of process 10 involves determining
an item to be secured. (For example, in FIG. 3, subtrees A, B and D are closed off
while root D1-8 is the item to be secured.) As discussed below, at a later time
before authentication, the item to be secured is secured by either (1) causing the
item to be secured to be directly published (i.e., widely witnessed and widely
available) or (2) linking the item to be secured to another hash value that is directly
published. At step 17, with respect to request for certification R, the service
bureau calculates the "self-verifying" hash values, defined as those hash values
necessary to authenticate document F with respect to the secured item D1-8: a6,
A7-8, A1-4, d1, D3-4 and D5-8. Step 17 also involves calculating the location
values (e.g., in FIG. 3, the "handedness" values) of the self-verifying hash values
for a6, A7-8, A1-4, d1, D3-4 and D5-8: R, R, L, L, R and R, respectively. (As
used herein, "L" refers to left and "R" refers to right.)

With this list of hash values and their associated location values
(which can be obtained, for example, from an authentication certificate as
explained below), if at a later date a party desires to prove the authenticity of a
document F' as that which was received and registered by the service bureau at the
time that secured item D1-8 was computed (i.e., that F' is the same as F), the
following steps would be performed. First, the hash of document F' would be
combined on the right with self-verifying hash value a6 and the composite would
be hashed to form A'5-6. Second, hash value A'5-6 would be combined on the
right with self-verifying hash value A7-8 and the composite would be hashed to
form A'5-8. Third, hash value A'5-8 would be combined on the left with
self-verifying hash value A1-4 and the composite would be hashed to form A'1-8.
Fourth, hash value A'1-8 would be combined on the left with self-verifying hash
value d1, and the composite would be hashed to form D'1-2. Fifth, hash value
D'1-2 would be combined on the right with self-verifying hash value D3-4 and the
composite would be hashed to form D'1-4. Sixth, hash value D'1-4 would be
combined on the right with self-verifying hash value D5-8 and the composite
would be hashed to form D'1-8. Accordingly, if the alleged document F' is
authentic, then D'1-8 would yield the correct hash value D1-8 (i.e., D'1-8 = D1-8)
as obtained from published or secured records (e.g., from any one of a variety of
sites that store validation records). Otherwise, a revised document would hash to a
different value.

Another feature of the digital time-stamping system of the present 
invention is that it facilitates quick registration of a document without the need for 
quick publication for validation purposes. In other words, certificates can be 
provided even though publication may not take place at the given point in time 
when the certificate is generated and transmitted to the requester. The only 
requirement is that some type of publication event occur prior to the time a user 
desires to validate a (document, certificate) pair. For example, referring to FIG. 3,
hash value D1-8 does not necessarily have to be "published" at the time of
registration of the documents represented by hash values a1 through a8, as long as
it is eventually secured (i.e., it is directly published or securely linked to a hash
value that is). In contrast to other time-stamping methods, this feature of the
present invention allows for quick response time to requests for registration
without requiring a correspondingly quick publication time. By decoupling the
registration-request process from the publication process, the time-stamping
system is better adapted to handle larger volumes of registration requests (that are
expeditiously fulfilled) without burdening the service bureau repository manager
with the need for expensively frequent publication.

Referring back to FIG. 1, the process continues to step 18 where the
service bureau combines location values (e.g., handedness) and the identifier for
the item to be secured (e.g., root) D1-8 to form a composite
"RRLLRR[D1-8 Identifier]". In accordance with a feature of the present invention,
this combination (e.g., concatenation) can be used as a "name" for document F
which not only is short and concise, but is unique and self-authenticating as well.
For example, there is only one document in the world which can have the name
"RRLLRR[D1-8 Identifier]". This name is much shorter than the length of a
typical useful hash value which generally is 128 bits or longer in length.
Moreover, use of the name in conjunction with the hash values it inherently refers
to can be used to verify that the particular document it refers to is authentic.

In accordance with the present invention, the process continues to 
optional step 19 where the unique name generated by step 18 can be further
abbreviated to form an even shorter "nickname." For example, the name
"RRLLRR[D1-8 Identifier]" can be represented in an alphanumeric format by first
converting to a base two representation, e.g., "001100[D1-8 Identifier in base 2]",
and then to an alphanumeric representation. This "nickname" feature of the
present invention is particularly adapted to allow a person to quickly jot down the
name of a time-stamped document when that document is referred to over the
telephone, for example. In particular, document F, which could have a hash value
comprised of 128 or more bits, for example, would have a "nickname" in
accordance with the present invention of less than about ten characters or the
length of a long distance telephone number in the United States.

Referring to FIG. 1, the process continues to step 20 where the
service bureau creates an authentication certificate for document F by including
the self-verifying hash values, location (e.g., handedness) values for those hash
values and the unique name or nickname for document F. FIG. 4 is a diagram of
an illustrative authentication certificate 30 for document F of FIG. 2A in
connection with the repository of FIG. 3 wherein the hash values of subtrees A, B
and D take on the values set forth in the Table below. Certificate 30 includes four
types of information: (i) self-verifying hash values with associated handedness
values 31, (ii) a pointer 32 to the root D1-8 (for example, in FIG. 4, pointer 32
— 2e5347f5 — is an illustrative unique identifier for root D1-8 in an alphanumeric
base and, as discussed below, represents the time when root D1-8 was computed),
(iii) document F's unique name 33 and (iv) document F's unique nickname 34. If
desired, certificate 30 could include the information from request 20 of FIG. 2B.
Additionally, name 33 could be left off the certificate to simplify its look. Process
10 of FIG. 1 then continues to step 21 where certificate 30 is transmitted by the
service bureau back to the user.

Thus, FIGS. 1-4 illustrate an embodiment of the present invention 
wherein a document F is time-stamped and an authentication certificate is provided 
which not only can be used to verify the authenticity of an alleged document F' at a
later date, but can be used to uniquely refer to document F in a quick and easy
manner. This additional "naming" feature of the time-stamping system of the
present invention does not require additional or parallel hardware, by the service
bureau or the user, for providing the extra convenience of "naming" to its users.

In accordance with another aspect of the present invention, the
process of the invention could be used to provide a unique and self-verifying
"name" for a document without the need to be accompanied by a certificate
including the document's self-verifying hash values. This feature of the present
invention is illustrated by FIG. 5, which is a flow diagram of another embodiment
of the process according to the invention. Process 40 begins at step 41 where a
user prepares a request RN to name a digital document F. For example, the
request RN could include the information present on time-stamping request R of
FIG. 2B. Process 40 then continues to step 42 where the requester transmits the
request to the service bureau. At step 43, the service bureau combines (e.g.,
concatenates) requests. By doing so, the service bureau takes the hash value of
the subject document and combines (e.g., concatenates) that value with the hash
value of a second document which is the subject matter of a second request to
name similar to FIG. 1 above. In an alternative, the second request could be that
of a request to provide a time-stamp certificate using the same service bureau
system. From the standpoint of the service bureau, the type of request is generally
not important.

At step 44, the service bureau hashes the composite to create a new 
hash value as in FIG. 1 above. At step 45, the service bureau continues to receive,
combine and hash other requests for names (or certification) and forms a
repository (e.g., a tree) of resulting, linked hash values (similar to FIG. 3). At step
46 the service bureau identifies an item to be secured (e.g., the root D1-8). As
discussed in FIG. 1 above, at a later time before authentication, the item to be
secured is secured by either (1) causing the item to be secured to be directly
published (i.e., widely witnessed and widely available) or (2) linking the item to be
secured to another hash value that is directly published. At step 47, with respect to
request to name RN, the service bureau calculates the "self-verifying" hash values
and the location values (e.g., "handedness") of the self-verifying hash values for
the subject document similar to step 17 of FIG. 1. At step 48, the service bureau
combines location values and an identifier for root D1-8 to form a composite
similar to FIG. 1. At optional step 49, the unique name generated by step 48 can
be further abbreviated to form an even shorter "nickname" similar to FIG. 1.

The process then continues to step 50 where the service bureau 
transmits the "name" back to the requester. In accordance with the present 
invention, FIGS. 6A-6C illustrate first, second and third embodiments, 
respectively, of illustrative names according to process 40 of FIG. 5. As shown in 
FIG. 6A, name 55 comprises the combination (e.g., concatenation) of location 
values (e.g., handedness values) with a root identifier (e.g., a root identified by the 
time it was published: "8/18/94 7:37:25 AM EDT"). In FIG. 6B, name 55 of FIG. 
6A is expressed in a base two representation 56 using an equivalent time (e.g., in 
UNIX standard time: the number of seconds since the first second of 1970 in 
Greenwich Mean Time). In FIG. 6C, name 56 of FIG. 6B is further simplified by 
expression in an alphanumeric format 57. Of course, although "time" was used as 
the root identifier in FIGS. 6A-6C, other unique identifiers could be used as well. 
For example, a sequential root publication number could also be used, i.e., the 
number of roots that were published since a given publication. Such a sequential 
root publication number uniquely identifies a root just as well as the time at which 
a root is published. 

After a name N is computed for a particular document F, if at a later 
date a party desires to authenticate the connection between the name N and a 
document-at-issue F, the party would need to obtain a copy of the authentication 
certificate C (from a storage facility or other means) and then proceed as follows. 
First, the party would verify that N was correctly extracted from the information 
contained in C. Next, the party would proceed with the validation procedure 
discussed above in connection with FIG. 1. 
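
The naming steps 43-48 and the two-part check just described (name against certificate, then certificate against the published root), as an added example that is not code from the patent. Assumptions: SHA-256 stands in for the one-way hash function, the eight documents are constructed, every function and field name is hypothetical, and the root identifier is the UNIX time of the publication time quoted for FIG. 6A written in hexadecimal.

```python
import hashlib

def H(data: bytes) -> bytes:
    # SHA-256 is an assumption standing in for the page's one-way hash function.
    return hashlib.sha256(data).digest()

def build_tree(leaves):
    """Return the levels of a binary hash tree (leaf count a power of two)."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def make_certificate(levels, index, root_id):
    """Collect the sibling ("self-verifying") hashes and their handedness."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        side = "L" if sibling < index else "R"  # side on which the sibling sits
        path.append((side, level[sibling]))
        index //= 2
    return {"path": path, "root_id": root_id}

def name_from_certificate(cert):
    """Name = handedness values concatenated with the root identifier."""
    sides = "".join(side for side, _ in cert["path"])
    return f"{sides}-{cert['root_id']:x}"

def verify(document, name, cert, published_roots):
    """First check N was correctly extracted from C, then relink to the root."""
    if name != name_from_certificate(cert):
        return False
    value = H(document)
    for side, sibling in cert["path"]:
        value = H(sibling + value) if side == "L" else H(value + sibling)
    return published_roots.get(cert["root_id"]) == value

# Constructed sample data: eight documents; the second one is being named.
DOCS = [f"constructed document {i}".encode() for i in range(1, 9)]
ROOT_ID = 777209845  # UNIX time of 8/18/94 7:37:25 AM EDT, hex 2e5347f5
LEVELS = build_tree([H(d) for d in DOCS])
PUBLISHED = {ROOT_ID: LEVELS[-1][0]}  # the widely witnessed record
CERT = make_certificate(LEVELS, 1, ROOT_ID)
NAME = name_from_certificate(CERT)

if __name__ == "__main__":
    print(NAME, verify(DOCS[1], NAME, CERT, PUBLISHED))
```

The name only has to agree with the certificate; it is the certificate's hash path, checked against the published root, that ties the name to one exact document.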

Thus, in accordance with the process of FIG. 5, a name or nickname 
is provided for a digital document which is not only intrinsically verifiable but is 
short and simple and can be referred to or written down quickly. For example, as 
shown in FIG. 6C, the process of FIG. 5 can provide a name having less than about 
forty (40) bits (i.e., less than about ten hexadecimal digits) even though the 
document it is referring to has a typical hash value of at least 128 bits. (However, 
there are more compact alphanumeric encodings of bit-strings than the 
hexadecimal representation. For example, UUCP printable-character encoding 
employs six bits rather than four bits per alphanumeric character. In such 
encoding, the name illustrated in FIG. 6C would be only seven characters long -- 
the length of a local telephone number in the United States.) Moreover, the 
"name" of the document is unique. In other words, no other document named by 
the system employing the method of FIG. 5 will have the same "name." This is 
inherently guaranteed by the method of the present invention. Moreover, the 
hardware to provide the name can also be used to time-stamp digital documents. 

Although the invention has been described above with reference to 
FIG. 3 wherein a "binary" tree has been illustrated as the repository for linking and 
securing hash values, there are many other ways of implementing the invention. 
For example, the "repository" of the present invention may be a ternary, 
quaternary, or k-ary tree, or any combination thereof, instead of a binary tree. Of 
course, although FIG. 3 illustrates three subtrees A, B and D, each including eight 
leaves, other tree and subtree arrangements or combinations could be used as well. 
The only constraint is that the items in the repository be linked via a hash function 
which allows the repository to be secured by a publication event. In mathematical 
terms, it suffices that the items in the repository form a growing directed acyclic 
graph in which occasionally there is an item to which every item in the graph can 
be linked by a directed path. 

Accordingly, linear linked lists or other types of accumulations of 
hash values may be used as well. For example, linear linked lists such as those 
described in "How to Time-Stamp a Digital Document," by S. Haber and W.S. 
Stornetta, Journal of Cryptography, Vol. 3, No. 2, pp. 99-111 (1991) may be used 
instead. This is illustrated by FIG. 7 which is a diagram of a portion of an 
illustrative linear linked list for implementing the naming process of the present 
invention. As shown in FIG. 7, requests to name R1, R2 and R3 are associated 
with digital documents F1, F2 and F3, respectively. Requests R1, R2 and R3 can 
be similar to those discussed above in connection with FIG. 2B. These requests 
are transmitted to the service bureau where the service bureau, in turn, takes the 
document hash value a1 of document F1 and combines it with a pre-existing hash 
value A0 and then hashes the composite to provide a new linking hash value A0-1. 
This new linking hash value A0-1 is then combined with the document hash value 
a2, associated with document F2, and the composite is hashed to provide a new 
linking hash value A1-2. Similarly, the new linking hash value A1-2 is then 
combined with document hash value a3, associated with document F3, and the 
composite is hashed to provide a new linking hash value A2-3. 

This process continues for as long as desired to form an 
accumulation or repository of linked hash values for securing the integrity of a 
corresponding accumulation of underlying digital documents. Periodically the 
service bureau secures the repository by publishing a portion of the repository (for 
example, in FIG. 7, linking hash value A4-5) so that a requester can use a 
certificate including a unique "name." Similar to FIGS. 1-6, the "name" is derived 
from a combination of a representation of a first location pointer to the "published" 
linking hash value (e.g., a pointer to linking hash value A4-5) with a representation 
of a second pointer from the particular document to be named within the repository 
to the "published" linking hash value. For the linear linked list of FIG. 7, such a 
second pointer could simply be an integer count of the number of linking hash 
values between the "published" linking hash value and the hash value of the 
document to be named. For example, for documents F1, F2 and F3 of FIG. 7, this 
number could be 4, 3 and 2, respectively. As a result, the "names" for documents 
F1, F2 and F3, for this particular embodiment, could be: "4[location pointer to 
linking hash value A4-5]"; "3[location pointer to linking hash value A4-5]"; and 
"2[location pointer to linking hash value A4-5]". In accordance with the invention, 
such names are not only short, concise and unique, but self-verifying as well. 
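
The linear linked list of FIG. 7 and its count-based names, as an added example that is not code from the patent. Assumptions: SHA-256 stands in for the hash function, the five documents and the pre-existing value are constructed, the string "ptr-A4-5" is a placeholder for the location pointer to the published link, and all function and field names are hypothetical.

```python
import hashlib

def H(data: bytes) -> bytes:
    # SHA-256 is an assumption standing in for the page's one-way hash function.
    return hashlib.sha256(data).digest()

def build_chain(initial, doc_hashes):
    """links[0] is the pre-existing value; links[i] = H(links[i-1] + a_i)."""
    links = [initial]
    for a in doc_hashes:
        links.append(H(links[-1] + a))
    return links

def name_of(cert):
    """Name = count of later linking steps, then the published-link pointer."""
    return f"{len(cert['later_doc_hashes'])}[{cert['pointer']}]"

def issue(links, doc_hashes, i, published_index, pointer):
    """Certificate and name for document i (1-based) under a published link."""
    cert = {
        "previous_link": links[i - 1],                       # value combined with a_i
        "later_doc_hashes": doc_hashes[i:published_index],  # a_(i+1) .. a_published
        "pointer": pointer,
    }
    return cert, name_of(cert)

def verify(document, name, cert, published):
    """Check the name against the certificate, then walk the chain forward."""
    if name != name_of(cert):
        return False
    link = H(cert["previous_link"] + H(document))
    for a in cert["later_doc_hashes"]:
        link = H(link + a)
    return published.get(cert["pointer"]) == link

# Constructed sample data mirroring FIG. 7: five documents, link A4-5 published.
DOCS = [f"constructed document F{i}".encode() for i in range(1, 6)]
HASHES = [H(d) for d in DOCS]
LINKS = build_chain(H(b"constructed pre-existing value A0"), HASHES)
POINTER = "ptr-A4-5"  # placeholder for the pointer to the published link
PUBLISHED = {POINTER: LINKS[5]}
ISSUED = [issue(LINKS, HASHES, i, 5, POINTER) for i in (1, 2, 3)]

if __name__ == "__main__":
    for doc, (cert, name) in zip(DOCS, ISSUED):
        print(name, verify(doc, name, cert, PUBLISHED))
```

The name stays a small integer plus a pointer, while the certificate carries one document hash per linking step between the named document and the published value.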

In accordance with the present invention, other methods of linking 
hash values can also be used. For example, roots of frequently-computed trees 
(e.g., every second or minute) can be combined into daily trees whose roots can be 
combined into linear linked lists. 

In summary, the present invention includes a method for naming a 
digital document that retains the verifiable security of naming documents solely by 
their hash values, while avoiding many of the constraints listed above in 
connection with naming documents in this way. The essence of this aspect of the 
present invention is to keep a repository of hash values that depend on many 
digital documents, and to name each document by a concise description of a 
location in the repository to which the name can be "linked". 

In a preferred embodiment of the invention, bit-strings are "linked" 
by the use of one-way hash functions. By systematically invoking a hash function 
on pairs or ordered lists of hash values, new hash values are computed from old 
ones so as to form linked lists, binary trees, or other combinatorial structures. In 
this way, documents are linked to the repository, and the elements of the repository 
are linked to each other. 

The repository is secured by making portions of it widely witnessed 
and widely available by any of various means. Other portions of the repository — 
and any document that has been registered — are secured by linking such portions 
and documents to the widely available portions. 

No matter what the exact form of the combinatorial structure formed 
by the growing pattern (i.e., the directed acyclic graph) of hash values, a list of 
hash values and accompanying (very concise) structural "driving directions" or 
location information is used to link a particular digital document with a 
summarizing widely available hash value in the repository. This list of hash values 
and location information can be placed in an authenticating certificate for the 
document. Only an exact copy of the registered document can be linked with this 
certificate and location in the repository. This is due to the properties of the 
one-way hash function, and to the widely witnessed and widely available nature of the 
repository records. 

Accordingly, a document that has such an authenticating certificate 
is given as a name a concise encoding of the relevant location information. No 
other (document, certificate) pair can be computed that "has this name." 

In accordance with the present invention, the naming method can be 
embodied in different ways. Different combinatorial structures can be combined 
in different ways, with different levels of wide witnessing. For example, there can 
be a direct link to the widely-witnessed fabric of the repository. In particular, all 
records kept by a repository manager can be publicized and location information 
can be as simple as a direct pointer. In an alternative, there could be local trees (or 
lists) where a user builds his or her own trees (or other structures) (e.g., subtrees 
"A" and "B" in FIG. 3) whose roots are regularly sent to the repository manager 
for linking to the widely witnessed part of the repository records. 

In certain implementations of the invention, this naming method 
allows a user a fair measure of personal control and choice over the names of his 
or her documents. Consider, for example, a local-tree implementation, for which 
the location information for a particular document may be written as a position in a 
local tree followed by a position in a service bureau's tree. A user can name a 
multi-part document by placing each successive part at consecutive leaf nodes of 
an appropriate local tree (or other structure). For example, in FIG. 3, the eight 
hash values a1 through a8 could represent eight chapters in a book. Thus, such 
consecutive parts of the document have consecutive local positions in the local tree 
(or structure). Thereafter, when a local repository manager forwards the root of 
such local tree to a service bureau repository manager, the resulting registration 
information gives such consecutive parts of the document consecutive names under 
an appropriate encoding of local information. An example of an appropriate 
encoding is by simple sequential numbering of the leaves. Furthermore, the 
non-local portions of these names are identical, explicitly encoding the fact that they 
are part of the same document. For example, with reference to FIG. 3 and the 
Table below, where hash values a1 through a8 represent consecutive parts of a 
multi-part document and "2e5347f5" is an identifier for root D1-8, the "names" of 
the documents represented by hash values a1 through a8 could be as follows: 
a1 : "1-LRR-2e5347f5"; a2 : "2-LRR-2e5347f5"; a3 : "3-LRR-2e5347f5"; 
a4 : "4-LRR-2e5347f5"; a5 : "5-LRR-2e5347f5"; a6 : "6-LRR-2e5347f5"; 
a7 : "7-LRR-2e5347f5"; and a8 : "8-LRR-2e5347f5". 

More complicated ways of structuring the parts of a document can 
similarly be encoded in the self-attesting names assigned by the naming method of 
the present invention. For example, in FIG. 3, d1 through d8 could represent eight 
individual chapters in a book wherein the chapters represented by d2 and d7 could 
each, in turn, have eight sections represented by hash values a1 through a8, and b1 
through b8, respectively. Accordingly, under such circumstances, the "names" of 
the various parts of the document represented by hash values ai, bi and di in 
FIG. 3, for example, could be as follows if hash value D1-8 is sent to the service 
bureau repository manager and the local repository manager receives, in return, the 
name N: a1 : "1-2-N"; a2 : "2-2-N"; a3 : "3-2-N"; a4 : "4-2-N"; a5 : "5-2-N"; 
a6 : "6-2-N"; a7 : "7-2-N"; a8 : "8-2-N"; b1 : "1-7-N"; b2 : "2-7-N"; b3 : "3-7-N"; 
b4 : "4-7-N"; b5 : "5-7-N"; b6 : "6-7-N"; b7 : "7-7-N"; b8 : "8-7-N"; d1 : "1-N"; 
d2 : "2-N"; d3 : "3-N"; d4 : "4-N"; d5 : "5-N"; d6 : "6-N"; d7 : "7-N"; and 
d8 : "8-N". 

In another implementation, a table of contents for a long or 
complicated multi-part document can be included in a standard place in the 
request. For example, in FIG. 3, d8 could represent a table of contents document 
for a seven-chapter book represented by d1 (chapter 1) through d7 (chapter 7) 
wherein the chapters represented by d2 and d7 could each, in turn, have eight 
sections represented by hash values a1 (section 1) through a8 (section 8), and 
b1 (section 1) through b8 (section 8), respectively. A feature of this aspect of the 
present invention is that a single self-verifiable document of the multi-part 
document (i.e., the table of contents) contains a description of all the parts of the 
document, allowing that single document to be used to list those parts of the 
document that may relate to a particular topic. At a later time, together with a 
collection of documents to be authenticated and their alleged certificates, such an 
authenticated list can be used to verify that (1) each of such documents is an exact 
copy of a respective document that was registered with the table of contents and 
(2) none of the documents on such list are missing. 

This method for using names to encode document organization is 
only one of several different ways in which the self-attesting names of the present 
invention can be meaningful to human readers and users of digital documents. For 
example, one convenient way to encode the location in the repository to which a 
document is linked is by the date and time — something that is easily 
comprehensible. See FIG. 6A, for example. 

Another way to make the system's names more meaningful and 
useful to users would allow users to have "personalized" naming requests as 
follows. Suppose that the service bureau's repository records are formatted in a 
standard way every day (e.g., by closing off a binary tree once every minute), and 
let F( ) denote a standard mapping from ASCII-encoded strings to the list of 
daily repository-record locations (e.g., to the minutes of the day). A personalized 
naming request is accompanied by an ASCII-encoded string of characters, e.g., 
"ABC Corp." or "John Smith's Ph.D. Dissertation". Each day's personalized 
naming requests are then linked by the repository manager to the location named 
by evaluating F( ) on the ASCII-encoded string provided, for example, by linking 
the request to the tree rooted at the minute given by F("ABC Corp.") or 
F("John Smith's Ph.D. Dissertation"). In this way the requester's personalized 
choice of character string -- any information that the requester deems to be useful 
about the document -- can be made to be part of the self-attesting name of the 
document named. Of course, a similar technique could be adapted at other time 
scales, for example, every hour instead of every minute. 

Additionally, the method described in co-pending U.S. patent Appln. 
Serial No. 07/992,883, filed December 21, 1992, incorporated herein by reference 
in its entirety (as well as in "Improving the Efficiency and Reliability of Digital 
Time-Stamping", D. Bayer, S. Haber and W. S. Stornetta, in Sequences II: 
Methods in Communication, Security, and Computer Science, eds. R.M. Capocelli, 
A. DeSantis, U. Vaccaro, pp. 329-334, Springer-Verlag, New York, 1993), for 
renewing cryptographic certificates of authenticity applies directly to the 
certificates of the present naming method. Therefore, as long as the certificates are 
appropriately renewed as technology advances, the self-attesting names assigned 
by the present method have long-term validity without any need to change them. 

In summary, this aspect of the present invention is an improvement 
over conventional naming methods because the names assigned herein are 
self-attesting in a universally verifiable manner (even if the naming procedure is 
primarily a local operation). This aspect of the present invention is also an 
improvement over current document-intrinsic naming methods because the names 
assigned by this method are short, meaningful, flexible, renewable (and thus secure 
for the long term) and provide information chosen by the requester to associate 
with the document named. Furthermore, the naming system is scaleable to handle 
very large volumes of naming requests. 

One skilled in the art will appreciate that the present invention can 
be practiced by other than the described embodiments, which are presented here 
for purposes of illustration and not of limitation, and that the present invention is 
limited only by the claims that follow. 
TABLE 

Subtree A 

Subtree B 

Subtree D 
What is claimed is: 

1. A method of registering a first digital document for 
authentication comprising the steps of: 

(a) receiving a first request for registering the first 
document; 

(b) receiving, combining and hashing other requests to 
form a repository of a plurality of hash values dependent upon a plurality of 
requests; 

(c) generating a location pointer for said first document in 
said repository; 

(d) naming said first document by said location pointer to 
provide a first name for said first document; and 

(e) generating a certificate for said first document 
including said first name. 

2. The method of claim 1 wherein said combining comprises 
concatenating. 

3. The method of claim 1 further including the step of securing 
the repository by publishing an item of the repository. 

4. The method of claim 3 wherein step (c) comprises 
determining the list of self-verifying hash values for the first document and 
associated location values for said self-verifying hash values. 

5. The method of claim 4 wherein step (d) comprises naming 
said first document by an identifier of said published item and by said location 
values to provide the first name for said first document. 

6. The method of claim 5 wherein said certificate further 
includes the list of self-verifying hash values. 

7. The method of claim 6 wherein said repository is a tree and 
said published item is a root of said tree. 

8. The method of claim 3 wherein the identifier of said 
published item includes a user-friendly representation of the date or time at which 
the item was computed. 

9. The method of claim 7 wherein said step of naming said first 
document comprises applying a compact encoding algorithm to a combination of 
said associated location values and said identifier of said published item to provide 
a simplified alpha-numeric name for said first document. 



